Advisory

Juniper issues out-of-band fix for critical vulnerability in Junos OS SRX Series and EX Series

Take action: Act quickly on your Juniper devices: immediately disable the J-Web interface, or configure it to respond only to trusted internal IP addresses. After that, plan a prompt patch. Or simply never use J-Web.


Learn More

A series of vulnerabilities has been identified in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series devices. By chaining these vulnerabilities, an unauthenticated, network-based attacker could achieve remote code execution on the affected devices.

The combined CVSS score for the chained vulnerabilities is 9.8.

These vulnerabilities impact Juniper Networks Junos OS on SRX Series devices with the following versions:

  • All versions before 20.4R3-S8
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S5
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S2
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

These vulnerabilities also impact Juniper Networks Junos OS on EX Series devices with the following versions:

  • All versions before 20.4R3-S8
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S4
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S1
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

These vulnerabilities were identified as a result of external security research. The specific vulnerabilities that were discovered and subsequently resolved are as follows:

  1. CVE-2023-36844 (CVSS3 score 5.3): a PHP External Variable Modification issue in J-Web of Junos OS on EX Series. An unauthenticated, network-based attacker can manipulate specific PHP environment variables with a specially crafted request. This causes a partial loss of integrity, which may then be chained with other vulnerabilities.
  2. CVE-2023-36845 (CVSS3 score 5.3): a PHP External Variable Modification flaw in J-Web of Junos OS, affecting both EX Series and SRX Series devices. Through a crafted network request, an attacker can control certain important environment variables, resulting in a partial loss of integrity that may be chained with other vulnerabilities.
  3. CVE-2023-36846 (CVSS3 score 5.3): a Missing Authentication for Critical Function issue in Junos OS on SRX Series. With a specific request that requires no authentication, an unauthenticated, network-based attacker can upload arbitrary files via J-Web, causing a loss of integrity in a certain part of the file system that may be chained with other vulnerabilities.
  4. CVE-2023-36847 (CVSS3 score 5.3): a Missing Authentication for Critical Function flaw in Junos OS on EX Series. As with the previous issue, a specific unauthenticated request lets an attacker upload arbitrary files via J-Web, causing a loss of integrity in a certain part of the file system that may facilitate the chaining of other vulnerabilities.

To mitigate the risk of remote code execution, a patch needs to be applied per platform.

  • For EX Series devices, PR 1735387 addresses this vulnerability in the following releases: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
  • For SRX Series devices, PR 1735389 addresses this vulnerability in the same set of releases.

As a workaround, users can disable J-Web or restrict access to trusted hosts.
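The workaround above expressed as Junos configuration, as an added example that is not part of this advisory or of Juniper's own documentation: the trusted prefix 10.0.0.0/24, the filter name PROTECT-RE, the term and counter names and the zone name untrust are assumptions, and J-Web is assumed to listen on its default ports 80 and 443. Lines beginning with # are annotation for the reader, not commands.

```junos
# Option 1: remove J-Web entirely (the advisory's "just never use J-Web").
delete system services web-management

# Option 2: keep J-Web but only answer trusted management hosts.
# The filter is applied to lo0, so it governs traffic destined to the
# Routing Engine itself; replace 10.0.0.0/24 (assumed) with your management network.
set firewall family inet filter PROTECT-RE term JWEB-TRUSTED from source-address 10.0.0.0/24
set firewall family inet filter PROTECT-RE term JWEB-TRUSTED from protocol tcp
set firewall family inet filter PROTECT-RE term JWEB-TRUSTED from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-RE term JWEB-TRUSTED then accept
# Everything else aimed at the J-Web ports is counted and dropped.
set firewall family inet filter PROTECT-RE term JWEB-DENY from protocol tcp
set firewall family inet filter PROTECT-RE term JWEB-DENY from destination-port [ 80 443 ]
set firewall family inet filter PROTECT-RE term JWEB-DENY then count jweb-denied
set firewall family inet filter PROTECT-RE term JWEB-DENY then discard
# Final term: leave all other Routing Engine traffic (SSH, routing protocols, ...) untouched.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# SRX only: the device answers J-Web only on zones that admit it, so remove
# http/https from host-inbound-traffic on any Internet-facing zone (name assumed).
delete security zones security-zone untrust host-inbound-traffic system-services http
delete security zones security-zone untrust host-inbound-traffic system-services https

# Roll back automatically if the change locks you out of management.
commit confirmed 5
```

If J-Web was configured on a non-default port under `system services web-management`, adjust the destination-port lists to match. After committing, `show configuration system services web-management` should return nothing for option 1, and `show firewall filter PROTECT-RE` shows the jweb-denied counter; a rising count from unexpected sources is worth a look in the logs, since it indicates hosts probing the interface the advisory describes.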

Update - on 25 August, WatchTowr Labs researchers published a PoC exploit for the four vulnerabilities, which gives attackers a ready template for automated attacks.
